GMS-2019-9: Default Express middleware security check is ignored in production

November 8, 2019

Default Express middleware security check is ignored in production

Impact

All Cube.js deployments that use affected versions of @cubejs-backend/api-gateway with default express authentication middleware in production environment are affected.

Patches

@cubejs-backend/api-gateway@0.11.17

Workarounds

Override default authentication express middleware: https://cube.dev/docs/@cubejs-backend-server-core#options-reference-check-auth-middleware

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/cube-js/cube.js/issues
Reach out us in community Slack: https://slack.cube.dev/

References

github.com/advisories/GHSA-4j6x-w426-6rc6

Code Behaviors & Features

Detect and mitigate GMS-2019-9 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →